
Network traffic is saturated going outbound....

Aug 1, 2003
I am trying to find the source or sources of why my network traffic is saturated going outbound.

I set up a syslog server and have my pix sending it type 6 info alerts. I found some obvious problems and patched the pc's but that did not solve my problem.

I have also been running a sniffer (Sniffer 4.5 & Ethereal) but I do not see anything obvious there either.

What should I be looking for specifically? Anyone have any filters set up for Ethereal that they would like to share?
 
Sounds like a machine has been hijacked by a spam sending tool.

Can you monitor the traffic by switch port to figure out which machine(s) is causing the traffic?


Surfinbox.com Business Internet Services - National Dialup, DSL, T-1 and more.
 
When we shut down our webserver the traffic went back to normal.

Where do you suggest I look for a spam sending tool?
 
PeteTech,
I'm assuming you have a switch. This is why you can't see anything abnormal. If you have a hub lying around, plug your web box and your machine running the sniffer into the hub, then plug the uplink into your switch. (If you have a fancy switch you can mirror the port, but I have no idea how to do that.) Run your sniffer and set a filter to only look at traffic from your web box.

I'm willing to bet you have either the SQL worm (new variants are going around again), if you have SQL, or MSBlaster.

I had the SQL worm take me down almost a year ago. I couldn't even get into the box to turn SQL off till I could patch it. I had to actually go unplug the ethernet cable and install the patch from CD.

Reminder: check for new patches weekly to avoid this.
 
The web server thing was just a coincidence.

I have two PIX-to-syslog logs that I looked through, but this time I used firewallanalyzer to do a report based on the syslog data. Here is what I found:

12/4 12:33pm -2:18pm:

106011  No routing to arrival interface                  event count 124426  38.45%
302013  Built TCP connection                             event count  84424  26.09%
106015  Deny TCP no connection established               event count  67932  20.99%
305011  TCP UDP ICMP Address Translation slot created    event count  33707  10.42%
302015  Built UDP connection                             event count  10883   3.36%
106023  Deny IP packet by access-list                    event count   1884   0.58%
305005  Translate group not found                        event count    192   0.06%
110001  No route                                         event count     54   0.02%
609001                                                   event count     33   0.01%
305009  Address Translation slot created                 event count     24   0.01%

Patched all the 106011 PCs with the latest security patches from Microsoft and the error event went away. I didn't know what to make of the 106015 events because they were from different PCs.


12/5 every 30 min starting at midnight to 6 am:

106015  Deny TCP no connection established                                     event count 87481  75.67%
302013  Built TCP connection                                                   event count 11310   9.78%
302015  Built UDP connection                                                   event count  5048   4.37%
305011  TCP UDP ICMP Address Translation slot created                          event count  3854   3.33%
305012  Teardown TCP UDP ICMP Address Translation slot                         event count  3830   3.31%
106023  Deny IP packet by access-list                                          event count  3587   3.10%
305005  Translate group not found                                              event count   380   0.33%
110001  No route                                                               event count    60   0.05%
302010  TCP connections in use                                                 event count    21   0.02%
609002  Network state container for the host IP address connected to interface name is removed   event count 13   0.01%


A ridiculous amount of 106015 messages, 75% of my traffic; these come from about 10 different outside IPs.
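The firewall-analyzer report above counts only message IDs; the check the poster actually wants is "which source addresses produce the 106015 floods, on which interface did the packets arrive, and which inside hosts move the most bytes". The script below is an added example written for this thread, not code from the original posts or from any Cisco tool. It parses PIX 6.x-style syslog lines (message ID from the `%PIX-<severity>-<id>:` tag, endpoints from the `from .../src iface:.../for iface:...` and `to .../dst iface:...` fields, byte totals from 302014 teardown messages) and aggregates them. The log lines embedded in it are constructed samples, the interface name `inside` is an assumption (it is whatever `nameif` you configured), and the 302014 byte count is the connection total in both directions, not outbound only.

```python
"""Summarise Cisco PIX syslog by message ID, source IP and per-inside-host bytes (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in PIX 6.x syslog style; not taken from the thread.
SAMPLE_LOG = """\
Dec 05 00:30:01 pix %PIX-6-106015: Deny TCP (no connection) from 192.0.2.10/80 to 203.0.113.2/1032 flags RST ACK on interface outside
Dec 05 00:30:01 pix %PIX-6-106015: Deny TCP (no connection) from 192.0.2.10/80 to 203.0.113.2/1033 flags RST ACK on interface outside
Dec 05 00:30:02 pix %PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/25 to 203.0.113.2/2100 flags SYN ACK on interface outside
Dec 05 00:30:02 pix %PIX-6-302013: Built outbound TCP connection 4711 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.1.1.20/1034 (203.0.113.2/1034)
Dec 05 00:30:03 pix %PIX-3-106011: Deny inbound (No xlate) tcp src inside:10.1.1.7/1025 dst outside:192.0.2.55/445
Dec 05 00:30:03 pix %PIX-4-106023: Deny tcp src outside:192.0.2.99/4444 dst inside:203.0.113.2/135 by access-group "outside_in"
Dec 05 00:30:04 pix %PIX-6-106015: Deny TCP (no connection) from 192.0.2.10/80 to 203.0.113.2/1035 flags RST ACK on interface outside
Dec 05 00:30:09 pix %PIX-6-302014: Teardown TCP connection 4711 for outside:192.0.2.10/80 to inside:10.1.1.20/1034 duration 0:00:07 bytes 1500 TCP FINs
Dec 05 00:30:10 pix %PIX-6-302014: Teardown TCP connection 4712 for outside:198.51.100.9/25 to inside:10.1.1.44/1040 duration 0:00:08 bytes 98000 TCP FINs
Dec 05 00:30:11 pix %PIX-6-302014: Teardown TCP connection 4713 for outside:198.51.100.11/25 to inside:10.1.1.44/1041 duration 0:00:09 bytes 120000 TCP FINs
"""

IP_PORT = r'(\d{1,3}(?:\.\d{1,3}){3})/(\d+)'
MSG_RE = re.compile(r'%PIX-(\d)-(\d{6}):\s*(.*)')
# Source endpoint: "from 1.2.3.4/80", "src inside:1.2.3.4/80" or "for outside:1.2.3.4/80".
SRC_RE = re.compile(r'\b(?:from|src|for)(?:\s+(\w+):)?\s*' + IP_PORT)
# Destination endpoint: "to 1.2.3.4/80", "to inside:1.2.3.4/80" or "dst outside:1.2.3.4/80".
DST_RE = re.compile(r'\b(?:to|dst)(?:\s+(\w+):)?\s*' + IP_PORT)
DENY_IFACE_RE = re.compile(r'on interface (\w+)')   # present on 106015-style denies
BYTES_RE = re.compile(r'\bbytes (\d+)')               # present on 302014 teardowns


def parse_line(line):
    """Return a dict for one PIX syslog line, or None if it carries no %PIX tag."""
    m = MSG_RE.search(line)
    if not m:
        return None
    sev, msg_id, body = m.groups()
    rec = {"severity": int(sev), "msg_id": msg_id, "src": None, "src_if": None,
           "dst": None, "dst_if": None, "iface": None, "bytes": None}
    s = SRC_RE.search(body)
    if s:
        rec["src_if"], rec["src"] = s.group(1), s.group(2)
    d = DST_RE.search(body)
    if d:
        rec["dst_if"], rec["dst"] = d.group(1), d.group(2)
    i = DENY_IFACE_RE.search(body)
    if i:
        rec["iface"] = i.group(1)
    b = BYTES_RE.search(body)
    if b:
        rec["bytes"] = int(b.group(1))
    return rec


def summarize(lines, inside_if="inside"):
    """Count messages per ID, source IPs per ID, and 302014 bytes per inside host."""
    by_id = Counter()
    src_by_id = defaultdict(Counter)
    bytes_by_inside_host = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_id[rec["msg_id"]] += 1
        if rec["src"]:
            src_by_id[rec["msg_id"]][rec["src"]] += 1
        if rec["msg_id"] == "302014" and rec["bytes"] is not None:
            # Charge the connection's byte total to whichever end sits on the inside
            # interface (assumed name); this is both directions, not outbound alone.
            for ip, iface in ((rec["src"], rec["src_if"]), (rec["dst"], rec["dst_if"])):
                if ip and iface == inside_if:
                    bytes_by_inside_host[ip] += rec["bytes"]
    return by_id, src_by_id, bytes_by_inside_host


def share(by_id, msg_id):
    """Percentage of all parsed messages carrying msg_id (the analyzer's '%' column)."""
    total = sum(by_id.values())
    return round(100.0 * by_id[msg_id] / total, 2) if total else 0.0


def report(by_id, src_by_id, bytes_by_inside_host, top=3):
    """Render the summary as text: per-ID counts with top sources, then top inside talkers."""
    out = []
    for msg_id, n in by_id.most_common():
        out.append(f"{msg_id}: {n} ({share(by_id, msg_id):.2f}%)")
        for ip, c in src_by_id[msg_id].most_common(top):
            out.append(f"    src {ip:<16} {c}")
    out.append("bytes per inside host (302014 teardowns):")
    for ip, nbytes in bytes_by_inside_host.most_common(top):
        out.append(f"    {ip:<16} {nbytes}")
    return "\n".join(out)


if __name__ == "__main__":
    # Real use: summarize(open("/var/log/pix.log"))
    print(report(*summarize(SAMPLE_LOG.splitlines())))
```

Run it against the real syslog file instead of `SAMPLE_LOG` and look at two things: the `src` list under 106015 together with `iface` from `parse_line` (106015 is the PIX dropping a TCP packet that matches no existing connection, so the interface it arrived on tells you whether those ten outside IPs are sending at you or something inside is answering them), and the bytes-per-inside-host list, which is the closest thing the syslog gives you to "which machine is filling the upstream" without the hub-and-sniffer setup suggested earlier in the thread.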
 